6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"SQLite table name parameter\",\"text\":\"

I'm trying to replace some of my string insertions with parameters.\\nSo I have this code that executes the query:

\\n\\n

cursor.execute(\\\"DELETE FROM %s WHERE COL=%s\\\" % (\\\"tablename\\\",\\\"column\\\"))\\n

\\n\\n

I can replace it with

\\n\\n

cursor.execute(\\\"DELETE FROM tablename WHERE COL=?\\\" , (\\\"column\\\"))\\n

\\n\\n

But I want my tablename to be in a variable. How can I protect insertion of a variable for a table from sql injections?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"akalikin\"},\"upvoteCount\":4,\"answerCount\":1,\"acceptedAnswer\":null}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","python",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/python/1","children":"python"}]}],["$","span","sqlite",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/sqlite/1","children":"sqlite"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/a0127be1eaeb8927c1bcba11cd9641f9?s=256&d=identicon&r=PG","alt":"akalikin","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/2407413/akalikin","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"akalikin"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",1127]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"SQLite table name parameter"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

I'm trying to replace some of my string insertions with parameters.\nSo I have this code that executes the query:

\n\n

cursor.execute(\"DELETE FROM %s WHERE COL=%s\" % (\"tablename\",\"column\"))\n

\n\n

I can replace it with

\n\n

cursor.execute(\"DELETE FROM tablename WHERE COL=?\" , (\"column\"))\n

\n\n

But I want my tablename to be in a variable. How can I protect insertion of a variable for a table from sql injections?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",4]}],["$","p",null,{"children":["Views: ",1627]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","31657185",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://i.sstatic.net/0I3cO.png?s=256","alt":"ezig","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/3183737/ezig","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"ezig"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",1229]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

If your goal is to make sure that the variable is the name of a valid table, you can get a list of table names using

SELECT name FROM sqlite_master WHERE type='table'

And then check to see if the variable from the config file matches one of the tables. This avoids having to hardcode a list of tables.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",1]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","3247183",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/3247183","className":"text-blue-600 hover:underline","children":"Variable table name in sqlite"}]}],["$","li","66006606",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/66006606","className":"text-blue-600 hover:underline","children":"How to let user input TABLE name in sqlite3, python3?"}]}],["$","li","71364450",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/71364450","className":"text-blue-600 hover:underline","children":"SQLite creating table name using a variable"}]}],["$","li","67590934",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/67590934","className":"text-blue-600 hover:underline","children":"string variable as sqlite table name"}]}],["$","li","64643439",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/64643439","className":"text-blue-600 hover:underline","children":"Renaming tables in SQLite with variable names"}]}],["$","li","39166102",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/39166102","className":"text-blue-600 hover:underline","children":"Can't create an SQL Table in Python using input as name"}]}],["$","li","28650999",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/28650999","className":"text-blue-600 hover:underline","children":"Naming a table in sqlite3"}]}],["$","li","19193851",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/19193851","className":"text-blue-600 hover:underline","children":"Being that string substitution is frowned upon with forming SQL queries, how do you assign the table name dynamically?"}]}],["$","li","18628420",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/18628420","className":"text-blue-600 hover:underline","children":"Sqlite3 statement creating table named parameters"}]}],["$","li","11460821",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/11460821","className":"text-blue-600 hover:underline","children":"sqlite3 python parameter passing issue"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

SQLite table name parameter

Answers (1)

Related Questions